Yes, XP changed the way to enter the kernel:
:u ZwCreateProcess
_NtCreateProcess
001B:77F7E6A3 B82F000000 MOV EAX,0000002F
001B:77F7E6A8 BA0003FE7F MOV EDX,7FFE0300
001B:77F7E6AD FFD2 CALL EDX
001B:77F7E6AF C22000 RET 0020
:u 7FFE0300
001B:7FFE0300 8BD4 MOV EDX,ESP
001B:7FFE0302 0F34 SYSENTER
001B:7FFE0304 C3 RET
Just change your GetThunkCode a bit and check OS to see what version to use.
As for the driver crash: if you're doing such a change, you should see why it
crashes. If memory protection causes it, examine and try to change the WP bit in
CR0.
Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]
From:
xxxxx@expressmetrix.com[SMTP:xxxxx@expressmetrix.com]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, November 14, 2001 10:14 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] Kernel mode device driver problem -
Subject: [ntdev] Kernel mode device driver problem - KeServiceDescriptorTable

I have an app and driver that works on NT4 through Windows 2000 SP2 but
fails on Windows XP. In user mode we would call GetProcAddress as
follows:

#include <windows.h>

static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams);
HMODULE hNtDll;
FARPROC pFunc;

if (hNtDll = LoadLibrary("NTDLL.DLL"))
{
    /* Locate the user-mode stub for ZwCreateProcess and decode it;
       pInitBlock is the block later handed to the driver. */
    if ((pFunc = GetProcAddress(hNtDll, "ZwCreateProcess")) == NULL
        || !GetThunkCode(pFunc, &pInitBlock->CreateProcessHookBlock.NTCode,
                         &pInitBlock->CreateProcessHookBlock.ParamCount))
    {
        FreeLibrary(hNtDll);
        return 0;
    }
}

This would get the address of the function in ntdll; we would then
extract the service id and number of bytes required for the parameters
using the below function:

static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams)
{
    /* Layout of a Zw/Nt stub in ntdll.dll on NT4 and Windows 2000:
         B8 imm32       MOV EAX, <service id>
         8D 54 24 04    LEA EDX, [ESP+4]     (the four "stuff" bytes)
         CD 2E          INT 2E
         C2 imm16       RET <bytes of stack arguments>                 */
#pragma pack(1)
    typedef struct _NTFUNC_BLOCK
    {
        UCHAR  moveeax;    /* 0xB8                                         */
        ULONG  thunkCode;  /* service id: index into KeServiceDescriptorTable */
        UCHAR  stuff[4];   /* LEA EDX,[ESP+4]                              */
        UCHAR  insint;     /* 0xCD                                         */
        UCHAR  vector;     /* 0x2E                                         */
        UCHAR  insret;     /* 0xC2                                         */
        USHORT params;     /* RET immediate: stack bytes used by arguments */
    } *PNTFUNC_BLOCK;
#pragma pack()
    PNTFUNC_BLOCK pNtFunc;

    pNtFunc = (PNTFUNC_BLOCK) funcPtr;

    /* Reject anything that is not the INT 2E stub shape. */
    if (pNtFunc->moveeax != 0xb8)
        return FALSE;
    if (pNtFunc->insint != 0xcd)
        return FALSE;
    if (pNtFunc->vector != 0x2e)
        return FALSE;
    if (pNtFunc->insret != 0xc2)
        return FALSE;

    *ntCode = pNtFunc->thunkCode;
    *ntParams = pNtFunc->params / sizeof(ULONG);
    return TRUE;
}

The problem is that the function no longer returns the information the
same way that it used to. We would then pass this information
(thunkCode and number of params) to the driver, which would hook into the
KeServiceDescriptorTable, replacing the real CreateProcess function with
our own.

Also, when I try to write to the KeServiceDescriptorTable at any
serviceID, the driver immediately crashes. Did XP change the memory
protection of the KeServiceDescriptorTable?

In short, the address that we get back from GetProcAddress no longer has
the same format - does anyone know the new format? If I can find the
correct ServiceID for the KeServiceDescriptorTable, can I still replace
the old address with a new one, or is it protected memory now?

Thanks,
Jeremy
You are currently subscribed to ntdev as: michal.vodicka@st.com
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
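The two stub layouts discussed in this thread, decoded by a single routine, as an added example that is not code from either poster. It recognises the NT4/2000 shape (MOV EAX / LEA EDX,[ESP+4] / INT 2E / RET) that GetThunkCode above expects and the XP shape shown in the :u listing (MOV EAX / MOV EDX,7FFE0300 / CALL EDX / RET), so the caller does not need a separate OS-version check. Unlike the packed-struct overlay it works on a bounded byte buffer, so it never reads past the end of a stub it does not recognise, and it rejects a CALL to any address other than 7FFE0300. The sample byte strings are constructed here: the XP one is the disassembly from the reply, the NT4/2000 one is the expected layout with the same service number 0x2F used purely as an illustration (the real NT4 index for NtCreateProcess is not given on this page). Later Windows versions use yet other stub shapes; those are reported as unrecognised rather than guessed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which system-call entry mechanism the stub uses. */
typedef enum { STUB_UNKNOWN = 0, STUB_INT2E = 1, STUB_SYSENTER = 2 } stub_kind_t;

typedef struct {
    stub_kind_t kind;
    uint32_t    service_id;   /* imm32 of MOV EAX: index into KeServiceDescriptorTable */
    uint32_t    param_bytes;  /* imm16 of RET: bytes of stack arguments */
    uint32_t    param_count;  /* param_bytes / 4 on 32-bit x86 */
} stub_info_t;

/* The SystemCallStub address inside KUSER_SHARED_DATA that the XP stub
   calls (7FFE0300 in the :u listing above). */
#define XP_SYSTEMCALL_STUB 0x7FFE0300u

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Decode the leading instructions of a Zw/Nt stub. Returns 1 and fills *out
   on success, 0 if the bytes match neither known layout or 'len' is too
   short for the layout being matched (never reads beyond 'len'). */
int decode_nt_stub(const uint8_t *code, size_t len, stub_info_t *out)
{
    stub_info_t info = { STUB_UNKNOWN, 0, 0, 0 };

    /* Both layouts begin with B8 imm32: MOV EAX, <service id>. */
    if (len < 5 || code[0] != 0xB8)
        return 0;
    info.service_id = rd32(code + 1);

    if (len >= 14 &&
        code[5] == 0x8D && code[6] == 0x54 && code[7] == 0x24 && code[8] == 0x04 && /* LEA EDX,[ESP+4] */
        code[9] == 0xCD && code[10] == 0x2E &&                                      /* INT 2E          */
        code[11] == 0xC2) {                                                         /* RET imm16       */
        info.kind = STUB_INT2E;
        info.param_bytes = rd16(code + 12);
    } else if (len >= 15 &&
               code[5] == 0xBA && rd32(code + 6) == XP_SYSTEMCALL_STUB &&  /* MOV EDX,7FFE0300 */
               code[10] == 0xFF && code[11] == 0xD2 &&                      /* CALL EDX         */
               code[12] == 0xC2) {                                          /* RET imm16        */
        info.kind = STUB_SYSENTER;
        info.param_bytes = rd16(code + 13);
    } else {
        return 0;   /* unknown layout: do not guess a service number */
    }

    info.param_count = info.param_bytes / 4;
    *out = info;
    return 1;
}

/* Constructed sample bytes (not dumped from a real ntdll.dll): the XP stub
   is the one disassembled in the reply above; the NT4/2000 stub is the
   layout GetThunkCode expects, with an illustrative service number. */
const uint8_t xp_stub[]  = { 0xB8,0x2F,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0xD2, 0xC2,0x20,0x00 };
const uint8_t nt4_stub[] = { 0xB8,0x2F,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x20,0x00 };
const size_t xp_stub_len  = sizeof xp_stub;
const size_t nt4_stub_len = sizeof nt4_stub;

int main(void)
{
    const struct { const char *name; const uint8_t *code; size_t len; } samples[] = {
        { "XP (SYSENTER via 7FFE0300)", xp_stub,  sizeof xp_stub  },
        { "NT4/2000 (INT 2E)",          nt4_stub, sizeof nt4_stub },
    };
    for (size_t i = 0; i < 2; i++) {
        stub_info_t si;
        if (decode_nt_stub(samples[i].code, samples[i].len, &si))
            printf("%-28s service 0x%02X, %u stack bytes = %u params\n",
                   samples[i].name, si.service_id, si.param_bytes, si.param_count);
        else
            printf("%-28s unrecognised stub\n", samples[i].name);
    }
    return 0;
}
```

Both samples decode to service 0x2F with 0x20 stack bytes, i.e. eight parameters, which is the RET 0020 in the listing. Feeding the routine a truncated buffer, or a stub whose CALL targets some other address, yields 0 instead of a bogus service id to patch into the table.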